Intel, along with the other companies at the centre of the Spectre and Meltdown controversy, are back in the bad books after it has emerged that the chipmakers didn’t reveal the flaws to US cyber security officials until they were leaked to the public.
As revealed by letters sent to the US Congress on Thursday, by the seven firms embroiled in the scandal, Alphabet informed Intel of the flaws six months before they were revealed publicly.
As you’d expect, government officials aren’t too happy that they weren’t informed because of ‘national security implications’. Intel has argued that it didn’t think that it was too important to share as hackers had not exploited the vulnerabilities.
More specifically, as Reuters writes, Intel "did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until January 3rd".
US-CERT is the body that issues warnings about cyber security issues to both the private and public sector. The organisation has not commented on this latest revelation yet.
The letters addressed to Congress were sent by Intel, Alphabet and Apple on Thursday. They were responding to questions from Oregon Republican Greg Walden, who is the chair of the House Energy and Commerce Committee.
Alphabet effectively shifted the blame, saying that security researchers at its Google Project Zero told Intel, AMD and ARM about the problems back in June. In addition to the warning, the chipmakers were given 90 days to fix the issues before disclosing them to the public.
The Google-owning Alphabet said that it left the decision of informing the government up to the companies themselves.
Intel’s excuse for not telling the government was that there was “no indication that any of these vulnerabilities had been exploited by malicious actors”. The chipmaker added that it didn’t think that the flaws could affect industrial control systems and as such did not perform an analysis. Intel did however inform other vendors that use its chips.
Lastly, Microsoft said it told antivirus software makers about the flaws ‘several weeks’ ahead of the leak to give them time to avoid compatibility issues, and AMD said that Alphabet extended the disclosure deadline from the standard 90 days twice, first to January 3rd, then to January 9th.